Refer to the exhibit.

An attacker is connected to interface Fa0/11 on switch A-SW2 and attempts to establish a rogue DHCP
server for a man-in-the-middle attack. Which recommendation, if followed, would mitigate this type of
attack?

A.
All switch ports in the Building Access block should be configured as DHCP trusted ports.

B.
All switch ports in the Building Access block should be configured as DHCP untrusted ports.

C.
All switch ports connecting to hosts in the Building Access block should be configured as DHCP
trusted ports.

D.
All switch ports connecting to hosts in the Building Access block should be configured as DHCP
untrusted ports.

E.
All switch ports in the Server Farm block should be configured as DHCP untrusted ports.

F.
All switch ports connecting to servers in the Server Farm block should be configured as DHCP
untrusted ports.

Answer: D

Explanation:
One of the ways an attacker can gain access to network traffic is to spoof the responses that a
valid DHCP server would send. The rogue DHCP server answers client DHCPDISCOVER and
DHCPREQUEST messages. The legitimate server may answer as well, but if the rogue device is on the
same segment as the client, its reply may arrive first, and clients typically accept the first offer
they receive.
The intruder's DHCP reply hands out an IP address and supporting options that designate the
intruder as the default gateway or Domain Name System (DNS) server. In the case of a gateway, the
clients forward their packets to the attacking device, which in turn forwards them to the real
destination. This is referred to as a "man-in-the-middle" attack, and it may go entirely undetected
as the intruder intercepts the data flow through the network.
With DHCP snooping, untrusted ports are those that are not explicitly configured as trusted; every
port is untrusted by default. A DHCP binding table is built from the traffic seen on untrusted
ports. Each entry contains the client MAC address, IP address, lease time, binding type, VLAN
number, and port ID, recorded as clients make DHCP requests. The table is then used to filter
subsequent DHCP traffic. From a DHCP snooping perspective, untrusted access ports must never be the
source of DHCP server responses, so the switch drops any DHCPOFFER, DHCPACK, or DHCPNAK that arrives
on an untrusted port.
Only the ports that lead toward the legitimate DHCP server (the uplinks from the Building Access
block toward the distribution layer and the Server Farm) should be trusted; every port that connects
to a host stays untrusted, which is option D. Making all ports in the Building Access block untrusted
(option B) would also drop the real server's offers arriving on the uplinks, and trusting host-facing
ports (options A and C) would let the attacker's rogue server on Fa0/11 answer clients unhindered.
Reference: Understanding and Configuring DHCP Snooping
(http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/13ew/configuration/guide/dhcp.
html)
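The configuration below is an added example of the recommendation in option D on a Cisco IOS access switch; it is not part of the original page or the Cisco reference. The VLAN number (10), the host-facing port range (Fa0/1 through Fa0/24, which includes the attacker's Fa0/11), and the uplink name (Gi0/1) are assumptions about the A-SW2 topology.

```ios
! Added example, not from the original page. VLAN 10, the port range
! Fa0/1 - 24 and uplink Gi0/1 are assumed names for switch A-SW2.
!
! Enable DHCP snooping globally and on the client VLAN. Every port is
! untrusted by default once snooping is on.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Host-facing access ports (including the attacker on Fa0/11) stay
! untrusted: DHCPOFFER/DHCPACK/DHCPNAK received here are dropped.
! The rate limit stops a host from flooding DHCPDISCOVERs to exhaust
! the real server's pool; the port err-disables if it is exceeded.
interface range FastEthernet0/1 - 24
 description host-facing access ports, DHCP untrusted (default)
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
! Only the uplink toward the distribution layer and the Server Farm,
! i.e. the path to the legitimate DHCP server, is trusted.
interface GigabitEthernet0/1
 description uplink to distribution, path to legitimate DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
! Verification after clients renew their leases:
!   show ip dhcp snooping
!   show ip dhcp snooping binding
!   show ip dhcp snooping statistics
```

Two checks worth making after applying this. First, confirm that `show ip dhcp snooping` lists Gi0/1 as trusted and no host port as trusted; the attacker's offers on Fa0/11 are then counted as dropped in `show ip dhcp snooping statistics`. Second, by default snooping inserts DHCP option 82 into relayed client requests; if the DHCP relay or server upstream rejects requests carrying option 82 from a non-relay source, either disable the insertion with `no ip dhcp snooping information option` on the switch or configure the relay to accept it, otherwise legitimate clients stop receiving leases and the change looks like an outage rather than a mitigation.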


